Hi there,
On Sun, 21 Feb 2021, Joe Acquisto-j4 wrote:
> clamd is running. I thought I read it does not have to be as
> clamav-milter is capable of running mail scans without. But I could
> be mistaken.
If you did read that, whoever wrote it is mistaken. If you imagined
it, please try not to do that because it isn't helpful. Note that
it's called clamav-milter (I've taken the liberty of correcting your
text) and it's more or less just an interface between an MTA and the
clamd daemon - although it is quite capable, for example it can offer
fault tolerance by handling multiple clamd daemons on multiple servers.
Its configuration and the configuration of the MTA are the first thing
we need to get right - they need to agree with each other, because the
configuration of the MTA tells the MTA how to talk to the milter, and
milter configuration tells the milter how to talk back to the MTA. So:
> Logging is enabled ...
That's good.
> myhost:~ # clamd zPING
> Sun Feb 21 18:34:45 2021 -> !TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
> Sun Feb 21 18:34:45 2021 -> !LOCAL: Socket file /var/run/clamav/clamd-socket is in use by another process.
> Sun Feb 21 18:34:45 2021 -> *Closing the main socket.
This is confusing. What you've written there looks like you've given
the result on the screen of a command-line command. First off that
command line command is nonsense (read the 'man' page for clamd) and
secondly what comes after it is taken from the log. You need to be
clear about what you're doing. I was clear in my example PING that I
connected to the daemon by using 'telnet'. You should do the same, or
(as you discovered later) by piping through something like netcat,
socat, or whatever. The error message in the log from the clamd which
you tried to start at the command line with your 'clamd zPING' command
is simply the new clamd that you're trying to start trying to open the
port that's configured in clamd.conf and finding that there's already
something using that port. The something already using that port is
of course the running clamd daemon. I asked you to talk to the daemon,
not to try to start another one. You *can* start more clamd daemons,
but they each need to have their own unique communication channel, so
they each would need to have a separate file like clamd.conf - when I
run multiple daemons on the same box I have clamd1.conf, clamd2.conf,
and so on, with each daemon using a different port from the default.
You don't need multiple clamd daemons at this stage. Probably never.
>> 3. Can you scan things with the 'clamdscan' command? Note the 'd' in
>> 'clamdscan'. Don't use 'clamscan', because that doesn't use clamd.
>
> myhost:~ # clamdscan eicar.txt
> /root/eicar.txt: lstat() failed: Permission denied. ERROR
This is a kind of progress. Put the eicar.txt file in /tmp instead of
/root, with world read permissions, and try again.
>> 5. Anything interesting in the Postfix logs? Can you increase the
>> logging verbosity?
>
> Nothing "new" far as I can tell.
We'll look at the log verbosity later.
>> 6. What happens if you mail to yourself something containing the
>> EICAR test file? Check all your log files as well as looking
>> for mail headers etc.
>
> That has proven difficult as every place I have an email client out in
> the great wilderness, has strict checking and blocks EICAR ...
Can you not simply use your own mail server to send yourself mail??
> I've resorted to a site that purports to send EICAR test email
> "as a public service" sort of thing, in the past.
So did you try it? What happened?
>> 7. Please also let us have the output of
>>
>> clamconf -n
Unfortunately your configuration is rather a mess.
> Config file: clamd.conf
> -----------------------
> ...
> PidFile = "/var/run/clamav/clamd.pid"
> LocalSocket = "/var/run/clamav/clamd-socket"
In passing I note the PID file is under /var/run/. We'll come back to
that later. Because clamd is supposed to be talking to clamav-milter,
the local socket above needs to be exactly the same in clamd.conf as
it is in clamav-milter.conf (er, you might say, obviously). It isn't.
> TCPSocket = "3310"
> TCPAddr = "127.0.0.1"
If everything is on the same machine, all the processes can use local
(Unix-type) sockets to talk to each other. That means you don't need
TCP sockets, which use a completely different communication technology
(in fact the same TCP/IP which you use for email, browsing etc. etc.).
So the TCPxxx settings might not be needed, but they're useful (they
have already been useful to us) e.g. for testing and investigation.
Anyway (1) you need to tell the different processes consistent things,
so that they aren't talking to a brick wall; (2) just because you have
a process listening on a port, doesn't necessarily mean that you have
to be using that port; and (3) open TCP ports that you aren't using
can be a security issue. So if you use clamd carelessly, you might be
a bigger threat to your system than the Bad Guys are because you might
be giving them an easy way in. There is no security on the clamd port
so anyone who can connect to port 3310 can for example tell clamd to
shut down. And as it's greater than 1024, *anyone* can connect to it.
> ...
> User = "vscan"
> ...
You will probably want the 'vscan' user to be able to read anything
that you want to scan. This user probably can't read a file in /root
for example, which is why I suggest putting the file in /tmp (which is
very likely to have world read permission) and making sure that the
file itself has world read permission.
> Config file: freshclam.conf
> ---------------------------
> ...
> PidFile = "/var/run/clamav/freshclam.pid"
In passing I note the PID file is under /var/run/, we'll come back to
that very soon.
> ...
> Config file: clamav-milter.conf
> -------------------------------
> ...
> PidFile = "/run/clamav/clamav-milter.pid"
I note the PID file is under /run/ and we've now come back to that.
Why is this PID file under /run/ when the others are under /var/run/?
It isn't necessarily wrong but it's likely to cause confusion, and you
evidently have quite enough of that already. If you can inject some
consistency into the configuration you'll find it all a lot easier.
> ClamdSocket = "unix:/run/clamav/clamd-socket"
This should be the same socket that you have configured in the clamd
daemon. It isn't, so the milter can't talk to the daemon.
> MilterSocket = "/run/clamav/clamav-milter-socket"
This should be the same socket that you have configured in MTA (that
is, in your case, Postfix). I don't know if it is because I can't see
what you've got in main.cf for the milter connection. Is it the same?
> Version: 0.103.0
Fine.
> Database information
Looks good.
> Oh, I wonder if the OS upgrade grabbed the ports on the QT?
Nope.
> After I look into how to look into that, if you get my drift. After
> a few months I need to retrain the idle brain.
If you're going to run your own mail server, ALL this stuff needs to
be at your fingertips. If it isn't, you're just going to be getting
in your own way (and in everyone else's way).
> Also wondering in main.cf (postfix) is the only place I need to add
> Clamav directives. master.cf has a spot for Spamassassin as a
> "filter" and commented out stuff for amavis.
https://www.oreilly.com/library/view/postfix-the-definitive/0596002122/ch04s05.html
Don't forget that I don't use Postfix, so check everything I've said
is right for your installation. There may well be little quirks with
Postfix that I don't know about. It's all very similar with the MTA
that I do use (Sendmail) but I can't be quite so sure with Postfix as
I can with Sendmail.
Fundamentally you need Postfix to know how to talk to clamav-milter,
clamav-milter to know how to talk to clamd, and the same in the other
direction; clamd needs to know how to talk to clamav-milter, and the
milter needs to know how to talk to Postfix. That's more or less all
there is to it as far as the communications between the processes is
concerned, but then you have to configure it all to do what you want
it to do of course. I see that you've started on that already with
things like detecting PUAs.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
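A small consistency check for the clamd / clamav-milter socket agreement that the reply above walks through, added here as an example (it is not code from the thread or from the ClamAV project). The two config texts are constructed samples that reproduce the thread's mismatch (clamd offers /var/run/clamav/clamd-socket, the milter looks for unix:/run/clamav/clamd-socket), the function names are mine, and paths are compared literally, as the reply does.

```python
import ipaddress

# Constructed sample configs (not the thread's clamconf output) in the
# 'Key value' layout of the real clamd.conf / clamav-milter.conf files.
CLAMD_CONF = """\
LocalSocket /var/run/clamav/clamd-socket
TCPSocket 3310
TCPAddr 127.0.0.1
"""
MILTER_CONF = """\
ClamdSocket unix:/run/clamav/clamd-socket
MilterSocket /run/clamav/clamav-milter-socket
"""

def parse_conf(text):
    """Parse 'Key value' lines; blank lines and '#' comments are skipped,
    a repeated key keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
    return conf

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def check_socket_agreement(clamd, milter):
    """Return findings: does the milter's ClamdSocket name a channel clamd
    actually offers, and is clamd's unauthenticated TCP port bound beyond loopback?"""
    findings = []
    target = milter.get("ClamdSocket", "")
    if target.startswith("unix:"):
        if target[5:] != clamd.get("LocalSocket"):
            findings.append(f"ClamdSocket {target} != clamd LocalSocket {clamd.get('LocalSocket')}")
    elif target.startswith("tcp:"):
        host, _, port = target[4:].rpartition(":")
        if port != clamd.get("TCPSocket") or ("TCPAddr" in clamd and host != clamd["TCPAddr"]):
            findings.append(f"ClamdSocket {target} != clamd TCPAddr/TCPSocket")
    else:
        findings.append(f"ClamdSocket {target!r} is neither unix: nor tcp:")
    # clamd binds all interfaces when TCPAddr is absent; anyone who can reach
    # the port can issue commands such as SHUTDOWN, so flag a non-loopback bind.
    if "TCPSocket" in clamd and not is_loopback(clamd.get("TCPAddr", "0.0.0.0")):
        findings.append(f"TCPSocket {clamd['TCPSocket']} listens on {clamd.get('TCPAddr', 'all interfaces')}")
    return findings
```

Run it against the real files by reading them with open(), then fix whichever side is wrong so that both configs name the same socket.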